[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Ryan Sleevi sleevi at google.com
Fri Feb 10 16:10:00 UTC 2017

On Fri, Feb 10, 2017 at 2:37 AM, Dimitris Zacharopoulos via Public <
public at cabforum.org> wrote:
> Since we are talking about the Baseline Requirements, IMHO the 27 months
> proposed in the recent Google S/MIME policy
> <https://support.google.com/a/answer/7300887> (more or less, the same
> arguments apply for both certificate types) is a reasonable number that
> will bring consensus among all participants in the ecosystem (CAs,
> Subscribers, Browsers, Relying Parties).

Perhaps. However, I think it's important to remember, the CA/Browser Forum
is not a consensus driven organization.

What I mean by this is that, while it's true we have a procedure for voting
on what we believe to be the "Baseline" requirements to be, the Forum
exists to ensure that Root Stores do not introduce _conflicting_
requirements, which would then create conflicts for CAs. It does not define
what is "Best" practice, only what is "common" practice.

A natural consequence of this is that you see Root Store members already -
and have always had - requirements that go above and beyond what the
Baseline Requirements require. You can see this very evidently through the
policies of both Microsoft ( https://aka.ms/rootcert ) and Mozilla (

Each of these programs have taken a set of steps - beginning with the
Baseline Requirements - and layered upon them the necessary policies to
ensure the security needs of their users are met.

Similarly, if CAs are unable to recognize the critical need, it may become
incipient on root stores to simply apply such policies directly through
their root program requirements. The downside, to CAs, remains the same as
what existed prior to the Baseline Requirements - it increasingly adds
difficulty as to understand what the requirements are and what they are

I would hope that CA members recognize this, and carefully consider whether
they would prefer such policies to be enshrined in a commonly agreed upon
document, or whether they feel that they can continue to ignore the serious
security and ecosystem problems caused by long-lived certificates, and as
such, be expected to consult each Root Program's requirements on the
maximally valid certificate for the continued participation and recognition
of trust.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170210/ff4846aa/attachment-0003.html>

More information about the Public mailing list